Analysis
-
max time kernel
148s -
max time network
154s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
01/10/2024, 22:01
General
-
Target
290a0370e71bfb1a98d3353775e9729ce5dccf7c4498ce77f0e302808fba9e6c.apk
-
Size
2.2MB
-
MD5
e55598deed9f21ae32dddfe61b42bd53
-
SHA1
3f645b96142f78f87e3abd0f454021950342a67f
-
SHA256
290a0370e71bfb1a98d3353775e9729ce5dccf7c4498ce77f0e302808fba9e6c
-
SHA512
4442351b5f08a4c753f90e8626a26ce3471e176d3941181f54383e9c7d3ca743460e889299c96c999401e442dda0bbe8fef399c490af14f2ca71aba28542688e
-
SSDEEP
49152:IyTgiyYRjJ0uz8H+4YgSJ0mfOmKE1Of6G03c/p0ViRfNR0/U:ZhyujDz8H+4XS9rH1g6Nk0ViRFRIU
Malware Config
Extracted
octo
https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/
https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/
https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/
https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/
https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/
https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/
https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/
https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/
https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/
https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/
https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/
https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/
https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/
https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/
https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/
https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/
https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/
https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/
https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/
https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/
https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/
https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/
https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/
https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/
https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/
https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/
https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/
https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/
https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/
https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/
https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/
https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/
https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.follow.trial1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.follow.trial/app_ice/xE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.follow.trial/app_ice/oat/x86/xE.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD53280903c96e56198c5e9dc71dd283488
SHA1c06473240b3421392ac4726ec58fb13cbf3faf1d
SHA256c9138e7939a4cdd6f4c6e81b5ca2b705a5732374758a0fc56e30fc15026f5008
SHA512fc17a1d0a47206b8e8cfb5f54903db8b40c41df17911f6e7ed425f3dcc808d541addde7bea60c96a8391818db9937cb2aacd01a81f58dd052dc785c6d996867b
-
Filesize
153KB
MD507e1257d896efcd6f8a4b005b1908e0a
SHA1142453f98ff31adc1ad74215edfcf39b0c6f1f79
SHA25691bcf03589cff55fffcec4c6f8fcf38394b2a2481902b4dd3108c44b0f508e09
SHA5124dcaacdc7f372857c316fb41c8f45292361b2622fb1e95dca91cdd78405e30074c140c0b9bc08b464bb613e49aa12b94a978ba3b4379c12e1d59104fa13df466
-
Filesize
451KB
MD5de3d124d7f41943f04c72a10a427db16
SHA1a13f6db62175992c55baf58f2748569cb31331ce
SHA256305fa94aa4bc0c34d62fcf122b90495734e469c228211272c02b192fce6515d3
SHA5128ffd5af92358c6bbfec513451abb155d191bb5fd7e598e7e209fc198441174ebdb6110d117b1ab93fbdc606e197ee05fdb4da8cfec0427ef54ad867cd8dc3425
-
Filesize
451KB
MD5fdad001f53900c84a8e79e46e6611969
SHA13f962437a4938bb1ea0663d6d5c46aa3beb668e6
SHA256382bbfbc461c93fdd76f5539ae7848d95bc51751e6f6848d947f11e2b700ffde
SHA512faebe5ff59427fabcbd3ea8acff633fcaaa40cce048b7b4b0f36ad5586557f2ad035211bd68a91f9ab45737a53060ebc76f5b0ffb43e4fea591b19853ac5d014